Privacy Amendment Bill 2016: cause and effect

The new parliamentary year may see amendments to two key pieces of legislation that didn’t make it into the final sittings of 2016.

A voluntary regime currently exists, where if your information architecture is compromised you can report it to the Privacy Commissioner. This Bill seeks to formalise and make reporting it compulsory. However, the legislation hinges on three things: a lack of clarity of the terms “real risk” and ‘serious harm’ and the word ‘suspect’.

For marketers this means acting with caution when using de-identified government data in targeting customers and developing plans.

The first is the Privacy Amendment (Notifiable Data Breaches) Bill 2016. This Bill seeks to make notification to the Office of the Australian Information Commissioner (AKA the Privacy Commissioner) mandatory should you ‘suspect’ that your data has been compromised and there is ‘real risk’ of ‘serious harm’ as the data has been compromised.

The second – the Privacy Amendment (Re-identification Offence) Bill 2016 – was quietly introduced by the Attorney General in October and seeks to make the re-identification of government datasets a criminal (as opposed to civil) offence. It’s possible this legislation could create a ripple effect. One of the keys is that it makes almost anyone involved in an alleged activity an accessory and therefore potentially chargeable under the Act.

Clarity of terms just makes sense to allow business to ensure compliance. However, as the legislation is framed, it appears that all you need do is have a suspicion that your data has been compromised and you will be compelled to inform the OAIC.

We are passionate about ensuring that data is safely and securely stored. However, we become concerned about any regulation that compels businesses to a mandatory regime process without proof that a breach has occurred.